Conversation
security(R8): CODEOWNERS trust root + SHA-pin signing actions (client#282)
… + cosign-verify) (#299) The Windows bootstrap (install.ps1) fetched install-k8s.ps1 from a mutable branch with no signature/checksum verification — the R8 supply-chain gap for Windows (RFC-0001 R8, backend#889 / client#283). Mirror scripts/install.sh: - install.ps1: pin to the stamped immutable release tag (fail-closed if the installer is unstamped or handed a mutable ref, unless TRACEBLOC_ALLOW_UNVERIFIED=1); fetch install-k8s.ps1 from the tag tree; cosign verify-blob the signed manifest (same keyless identity/issuer pins as install.sh, with a nonzero-sentinel guard so a cosign that can't launch fails closed); sha256-check each sub-script; fail closed at every gate. Functions load under $env:TB_PESTER for unit testing. - gen-manifest.sh: cover install-k8s.ps1 via a parallel WINDOWS_FILES list so one signed manifest anchors both entrypoints; keep the strict install.sh sync-check intact and add the equivalent install.ps1 $Files sync-check. - release-helm-chart.yaml: stamp install.ps1's $DefaultRef with the release tag (awk literal-replace, tag via env, anchored to the assignment so the fail-closed guard sentinel survives) + a pwsh self-test + publish install.ps1 as a release asset (so `irm .../releases/latest/download/install.ps1 | iex` is pinned). - Pester tests for ref-resolution / fail-closed / integrity; wire PSScriptAnalyzer and the Pester run to cover install.ps1. - CODEOWNERS: add install.ps1 + install-k8s.ps1 to the R8 trust-root section. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Release carrier for the R8 supply-chain hardening now on develop (#287 CODEOWNERS/SHA-pins, #299 Windows install.ps1 pin+cosign-verify). The client chart templates are unchanged since v1.8.4; the bump versions the release that stamps + publishes the hardened install.sh/install.ps1 + signed manifest as release assets (RFC-0001 R8, client#283). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
shujaatTracebloc
approved these changes
Jul 2, 2026
Contributor
Author
|
Applying |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes the R8 supply-chain hardening to
mainfor the v1.8.5 release.Contents:
install.ps1pins to the immutable release tag + cosign-verifiesinstall-k8s.ps1against the signed manifest;gen-manifest.sh+ the release workflow cover the Windows entrypoint; Pester coverageChart templates are unchanged since v1.8.4 — this release ships the hardened installers as signed release assets.
After merge — cut the release (this is what activates Windows R8 in prod):
v1.8.5targetingmain(generate notes) → triggersrelease-helm-chart.yaml:sign-installer-manifeststamps + publishesinstall.shandinstall.ps1, generates + cosign-signsmanifest.sha256(now coveringinstall-k8s.ps1), attaches.sig/.cert.client-1.8.5.tgz+ingestorto gh-pages.https://github.com/tracebloc/client/releases/latest/download/install.ps1returns 200, and the new PowerShell stamp/self-test steps went green.Merge as a merge commit to match the prior promotions (#294, #278). Closes #283 (Windows R8) on release.
🤖 Generated with Claude Code
Note
High Risk
Changes define what privileged Windows installs trust (cosign, manifest, release stamping and workflow assets); mistakes could weaken or break production
irm | iexpaths.Overview
v1.8.5 promotes RFC-0001 R8 supply-chain hardening to
main, with the main functional change being Windows parity with the existinginstall.shbootstrap.install.ps1is no longer a thin “downloadinstall-k8s.ps1from a branch” script. It now pins to an immutable release tag ($DefaultRef, stamped at publish time), cosign-verifiesmanifest.sha256, checksinstall-k8s.ps1against that manifest before anything runs elevated, and fails closed withoutTRACEBLOC_ALLOW_UNVERIFIED=1.gen-manifest.shandmanifest.sha256now include the Windows sub-script, with CI drift checks againstinstall.ps1’s$Fileslist.The release workflow stamps and self-tests
install.ps1likeinstall.sh, shipsinstall.ps1on the GitHub release next to the signed manifest assets, and SHA-pins key Actions. CODEOWNERS expands to cover the R8 trust-root paths. Installer CI runs PSScriptAnalyzer on both PowerShell entrypoints and Pester overscripts/tests(newinstall.Tests.ps1). Chartversion/appVersionbump 1.8.4 → 1.8.5 only.Reviewed by Cursor Bugbot for commit 6f62dfd. Bugbot is set up for automated code reviews on this repo. Configure here.